What’s In a P@55w0rd?

“Password must be at least 85 characters long, contain a number, an uppercase letter, a fruit, three chemical elements and a hieroglyphic”

… not quite, but this is how it can sometimes feel when you’re caught off guard with an expiring password and need to think of a new one on the spot. It can seem that for no obvious reason, you’re required to meet these obscure conditions when setting a new password, but rest assured, there is good reason for this! Password length and complexity play a crucial part in increasing the time taken for a password to be cracked. Let’s take a look at the numbers…

Length

I will assume that a standard processor tests 10 million keys per second, and that each candidate password tested counts as 1 key. Let’s only consider the lower case alphabet and see how password length affects the time taken for 1 computer to crack a password:

| Length (abc etc) | Number of Possibilities | Time |
| --- | --- | --- |
| 1 | 26 | 2.6 × 10⁻⁶ seconds |
| 2 | 26² = 676 | 6.76 × 10⁻⁵ seconds |
| 3 | 26³ = 17,576 | 1.76 × 10⁻³ seconds |
| 4 | 26⁴ = 456,976 | 0.0457 seconds |
| 5 | 26⁵ = 12 million | 1.19 seconds |
| 6 | 26⁶ = 309 million | 30.9 seconds |
| 7 | 26⁷ = 8 billion | 13.4 minutes |
| 8 | 26⁸ = 210 billion | 5.8 hours |

As the length of the password increases, the number of possibilities increases by a factor of 26 every time a letter is added (because there are 26 letters to choose from). So, when it comes to passwords, size does matter! Changing from a 6 character password to an 8 character one takes the time to crack from just over 30 seconds to 5 hrs 48 mins.

Complexity

So 5 hours is definitely better than 30 seconds but still, would you be satisfied with knowing that should someone wish to invest that time, they could decipher your password and access your data? If you’re answering ‘No’ to that then you should definitely be considering using more than just lower case letters…

Let’s look at incorporating upper case letters into our password, then numbers, then ASCII special characters (of which there are 26, 10, 33 choices respectively).

Upper Case Letters

| Length (AaBb…) | Number of Possibilities | Time |
| --- | --- | --- |
| 2 | 52² = 2,704 | 2.7 × 10⁻⁴ seconds |
| 3 | 52³ = 140,608 | 0.014 seconds |
| 4 | 52⁴ = 7 million | 0.73 seconds |
| 5 | 52⁵ = 380 million | 38 seconds |
| 6 | 52⁶ = 20 billion | 33 minutes |
| 7 | 52⁷ = 1 trillion | 1.2 days |
| 8 | 52⁸ = 53 trillion | 62 days |

Numbers

| Length (Aa1Bb2…) | Number of Possibilities | Time |
| --- | --- | --- |
| 2 | 62² = 3,844 | 3.8 × 10⁻⁴ seconds |
| 3 | 62³ = 238,328 | 0.024 seconds |
| 4 | 62⁴ = 15 million | 1.5 seconds |
| 5 | 62⁵ = 916 million | 1.5 minutes |
| 6 | 62⁶ = 57 billion | 1.6 hours |
| 7 | 62⁷ = 3.5 trillion | 4 days |
| 8 | 62⁸ = 218 trillion | 253 days |

Special Characters

| Length (Aa1@Bb2!…) | Number of Possibilities | Time |
| --- | --- | --- |
| 2 | 95² = 9,025 | 9.1 × 10⁻⁴ seconds |
| 3 | 95³ = 857,375 | 0.085 seconds |
| 4 | 95⁴ = 81 million | 8.15 seconds |
| 5 | 95⁵ = 8 billion | 12 minutes |
| 6 | 95⁶ = 735 billion | 20.4 hours |
| 7 | 95⁷ = 70 trillion | 81 days |
| 8 | 95⁸ = 6.5 quadrillion | 21 years |

21 years… that’s more like it!

As you can see, both length and complexity contribute hugely to the security of your password.

Disadvantages

Long and complex passwords do, however, have their drawbacks. They can be difficult to memorise, which tends to have three common consequences:

Many are likely to be re-used (which is not advised)

They’re often stored insecurely, e.g. handwritten on paper and kept close to a device

They frequently feature predictable character substitutes, e.g. replacing an ‘S’ with a ‘5’. P@55w0rd is not a strong password (for numerous reasons)!
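To see why P@55w0rd fails despite drawing on all 95 characters, the following added example (not part of the original post) computes the nominal brute-force time from the tables above and then checks whether the password is just a common one in disguise. The common-password list and the substitution table are small constructed samples, and all function names are hypothetical.

```python
import string

KEYS_PER_SECOND = 10_000_000  # guess rate assumed in the article

# Character classes with the sizes the article uses (26, 26, 10, 33).
CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),  # 32 symbols plus the space
]

# Constructed sample: a tiny stand-in for a real common-password list.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome"}

# Assumed substitution table: the swaps people reach for first.
UNDO_SUBSTITUTIONS = str.maketrans(
    {"@": "a", "4": "a", "3": "e", "1": "l", "0": "o", "5": "s", "$": "s", "7": "t"}
)


def alphabet_size(password):
    """Add up the size of every character class the password draws from."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))


def nominal_seconds(password):
    """Worst-case time to try every string of this length over that alphabet."""
    return alphabet_size(password) ** len(password) / KEYS_PER_SECOND


def is_disguised_common(password):
    """True if undoing case and substitutions yields a listed common password."""
    return password.lower().translate(UNDO_SUBSTITUTIONS) in COMMON_PASSWORDS


def audit(password):
    """Return (nominal seconds, verdict) for a password-policy check."""
    if is_disguised_common(password):
        return nominal_seconds(password), "reject: common password in disguise"
    return nominal_seconds(password), "no match in common-password list"


if __name__ == "__main__":
    for candidate in ("abcdef", "P@55w0rd", "kX9#mQ2v"):
        seconds, verdict = audit(candidate)
        print(f"{candidate!r}: {seconds:,.1f} s nominal, {verdict}")
```

The nominal figure only holds when every character is chosen at random; a password that maps back to a list entry is rejected no matter how large its alphabet looks.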

There are various facets to consider when choosing your password, and complexity is just one of them. Government research has found that memorability is one of the most important factors for choosing an effective password. With this in mind, they recommend using the “Three Random Words” strategy. This involves concatenating three words that are memorable, but not easy to guess, to form your password. Numbers and special characters can still be incorporated if you like. For more on this see www.cyberaware.gov.uk/passwords

There are no hard and fast rules when it comes to password security but in today’s online world, where just about everything we do is password protected, it’s imperative that we don’t give cyber criminals easy opportunities. Make it difficult for them, choose strong and secure passwords and reduce the risk of becoming a victim of a successful password hack.

If you’d like to know more about password security, here are some places to look…

Cyber Aware – This is a government website aimed at educating people about cyber security, including passwords.
